PHP Login and Redirection

[Kirtangl]

Hi Everyone

I have had a lot of help from this site with JavaScript questions, so I know you’re the right guys to ask about PHP.

Just been helping a friend with her dads, home business, website. Anyhow he has asked if its possible to make a login script for his clients. Now I can make a login easy, and have found many sample pages to help. But what he is asking is something different.

What is he asking for? Ok he wants a Client login, when the customer logs in, he is not redirected to the members page, where he can now access all site pages, but redirected to there own page, not accessible from any other client.

Now I have seen things like this, after you login you are directed to like a profile page. That’s sort of what I’m after, but with now profile options, Just info regarding that client.

Because I’m sure I have confused everyone with my ramblings, I made a lil diagram, to kind of show what I want the clients to do.

Thank You Very Much
- Kirt


EDIT: Sorry i just wanted to add, i relise this would probably be a big job, I don't want annyone to spend their hard earned time making this for me, rather pointing me in the direction of something similar i could use, i dont really know PHP, but im willing to learn as I go.

[scragar]

This would probably be best achieved with a single page, for the individual user, that is not hard, what may be hard is letting the users customise this page.

[Kirtangl]

Thats ok, The clients/user is not supposed to edit the page. He does tests for the customer and sends them out a book full of data, I want to put that "book" on a webpage for the cust to read, to save the trees and all lol...

You said one page, would that mean they cannot have multiple pages for each client? if so thats ok, just wondering.

[scragar]

You could do multiple pages, but for the sake of security it's better to keep the real pages to one, and use PHP to generate content for the requested pages, with htaccess you can make the urls look less restricted, maybe something like

mySite.com/myAccount/page2

which apache(or lighttp or IIS(I think)) can convert to mySite.com/myAccount.php?page=2
Then you can read in the username/userID from the cookie/session, and serve the right page, something like:

PHP Code:

if( ! isset($_SESSION['user'])){
  header('Location: message.php?type=error&msg=Not+logged+in');
  exit;
}
$userId = $_SESSION['user'];
$page = mysql_real_escape_string($_GET['page']);
$rs = mysql_query("SELECT * FROM `pages` WHERE `user`={$userId}
  AND (`pageNo`='$page' OR `pageNo`='1' ORDER BY `pageNo` DESC LIMIT 1");

$info = mysql_fetch_assoc($rs);
echo "<h3>Page number: {$info['pageNo']}</h3>
{$info['content']}"; 


[Kirtangl]

*reads franticly through PHP help books*

hehe, sorry I have only ever really done client side. *trashy stuff basicly*, so that code will recognise the userID, and generate a single page for that user, with their data on it.

Im going to have to read up on my_sql data bases aswell arnt I?...

[scragar]

I assumed you would have a database, it's by far the easiest way to manage such a thing. You won't need to learn much of MySQL, phpMyAdmin will guide you through everything you will need, as well as showing the query you can copy paste into PHP if you want to duplicate the effect.

And I am assuming you have set a session for the ID, it's not all that hard to understand http://php.net/sessions

[Kirtangl]

I think I can figure out mySQL, I have looked at the mysqladmin like you said, and I think I sort of understand it. The PHP session thing I’m not so sure about, but that link you added should sort that out. I was wrong to think this was an easy task when i took it on lol, since i know almost nothing about PHP.

[scragar]

OK, how about a comment heavy version:

PHP Code:

if( ! isset($_SESSION['user'])){
// $_SESSION       is an array, containing all the session information for this user
// ['user']       repesents the 'user' element of said array.
// isset()      is a function that returns true or false, dependant on if the argument is set or not.
// !        means not, and inverts the true/false bit
// if(){}   if the content evaluates to true do the bit between the braces
  header('Location: message.php?type=error&msg=Not+logged+in');
// header()      sends a header to the browser, this one tells the browser to redirect to message.php?type=error&msg=Not+logged+in
  exit;
// abort the rest of the page so the browser redirects.
}
// end the if section.
$userId = $_SESSION['user'];
// take the userID out of the session so we can use it easier.
$page = mysql_real_escape_string($_GET['page']);
// get the current page, and make it safe to use with MySQL
$rs = mysql_query("SELECT * FROM `pages` WHERE `user`={$userId}
  AND (`pageNo`='$page' OR `pageNo`='1' ORDER BY `pageNo` DESC LIMIT 1");
// a mysql query, it's not too hard to understand, but I'll do that later.

$info = mysql_fetch_assoc($rs);
// get the result from the query.
echo "<h3>Page number: {$info['pageNo']}</h3>
{$info['content']}";
// write out some text, it looks like this:
/*

<h3>Page number: 2</h3>
This is the content we wanted to put on page 3 and stored in the database.

*/ 


As for the MySQL:

Code:

SELECT *    get everything
FROM `pages`   from a table called pages
WHERE `user`={$userId}  where the user matches up
AND(             and
`pageNo`='$page'   the page number matches what we found in the query string
OR `pageNo`='1'  or the page number is one.
ORDER BY `pageNo`  order the results by the page number
DESC         descending(highest first)
LIMIT 1     only return the first result after it has been sorted

This whole thing works out to mean that if the page ID is invalid or not found then we default back to the page 1, otherwise we load the page requested.

With a little bit of experience and practice this will all become second nature.

[Kirtangl]

WOW!... as i said, i know almost nothing about PHP, but this is somthing els, I should have almost no trouble working this one out, thank you so much.

Is there a credit system in place on this forum or somthing? cos u need a Thumbs up hehe

EDIT: this is gonna sound really dumb, how many fields on my table?

[Kirtangl]

Im so sorry guys, I know what scragar has done is great, and exactly what i want, but i cant seem to work this out, I need to check a few things with u guys,

I made a SQL database, called it, POD, (i didn't think the name mattered), in that, made a table called 'pages' and added 2 fields 'userId' and 'pageNo'. now im not sure how to add the users and the page number, or the password for that matter lol... *fail*

and the php, im not to sure how this works, but i add the <?php ?> tags right?.

thanx
kirt


EDIT: I think i worked out the SQL now

userId PassW pageNo
POD01 password 2

thats what the table looks like...

[scragar]

I would use two tables, one for users, one for pages, a structure something like this:

Code:

users
+--------+-------------+------+-----+---------+----------------+
| Field  | Type        | Null | Key | Default | Extra          |
+--------+-------------+------+-----+---------+----------------+
| userId | int(11)     | NO   | PRI | NULL    | auto_increment | 
| uname  | varchar(63) | NO   |     |         |                | 
| pword  | char(32)    | NO   |     |         |                | 
+--------+-------------+------+-----+---------+----------------+
pages
+---------+-------------+------+-----+---------+----------------+
| Field   | Type        | Null | Key | Default | Extra          |
+---------+-------------+------+-----+---------+----------------+
| pageId  | int(11)     | NO   | PRI | NULL    | auto_increment | 
| owner   | int(11)     | NO   |     |         |                | 
| pageNo  | int(7)      | NO   |     |         |                |
| content | text        | YES  |     |         |                |
+---------+-------------+------+-----+---------+----------------+

The idea for the system is simple, you store a hash of the users password in the users field, something like:

PHP Code:

$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);
$rs = mysql_query("SELECT * FROM `users` WHERE `uname`='{$uname}' AND `pword`='{$password}'");
if(mysql_num_rows($rs)){// one or more rows
  $userInfo = mysql_fetch_assoc($rs);
  $_SESSION['user'] = $userInfo['userId'];// get the users ID
  echo "now logged in as {$userInfo['uname']}";
}else{// no rows
  echo "Username or password incorrect.";
} 


[Kirtangl]

Sweet your stil on...

i got this lovley message.

Code:

Access denied for user 'thegould'@'localhost' (using password: NO)

I gather its somthing i have done wrong, my guess, i have to add somthing like mySQL_connect or somthing first dont I? before i can even see the database...

[scragar]

Code:

mysql_connect(HOST, username, password);

Your host will probably be 'localhost', the username and password you would have set during install(at least for the root account, I recommend adding another user as soon as you can http://dev.mysql.com/doc/refman/5.1/...ing-users.html )

[Kirtangl]

I just had a thought, and if im right, i think im doing this all wrong from the start lol...

If I add my User and PWD for the data base in the PHP code, wont everyone be able to read the source code from my site and see it, or am i putting this code in the complete wrong area. I have just been making a .php page and navigating to that... dammit.

[scragar]

I would not put the code into the page, put it in an include.

And your password will be safe as long as your server doesn't act up, PHP is processed on the server, not the browser.

If you can put the file above your web root (normally something like /home/public_html (red hat servers like that)or /var/www (which debian defaults to)).